Chapter 2
Classical cryptography

Much of the material below is based on Chapter 1 of Cryptography: theory and practice by Douglas R. Stinson.

2.1  The basic idea

The aim of cryptography is to enable two people, often called Alice and Bob, to communicate over an insecure channel so that an opponent Oscar cannot understand their messages.

These days the channel might be a telephone line, or a computer network. However cryptography has a long history. In the past the channel may have been a published book or a newspaper article (and the `opponent' would have been an ordinary reader), or the channel may have been a soldier carrying a concealed message with the opponent being the enemy army. Examples can be found in any introduction to cryptography, for example in the Code Book (see recommended reading), or in

Bill Cherowitzo's notes at the University of Colorado.

We call Alice's message plaintext. Let's say her message is x. Alice encrypts the message by applying one of a set of rules. The rule e_K used depends on her choice of a secret key K. The encrypted message y=e_K(x), which we call ciphertext, is sent over the insecure channel to Bob. Separately, by a secure channel Alice sends Bob her secret key K, which he will need to decipher Alice's message. When Bob receives the encrypted message y he decrypts the message by applying the decryption rule d_K corresponding to the key K and retrieves Alice's plain text message x=d_K(y). Meanwhile the opponent Oscar has intercepted the ciphertext y, but (ideally) without knowledge of the key K he is unable to understand it.

2.2  A simple cryptosystem

Oscar's job is to find x, knowing y and without knowing the key K, but possibly knowing the type of encryption system used. This type of decryption is called cryptanalysis. We'll return to it later.

2.3  Shift ciphers

These form a family of ciphers based on modular arithmetic. One such cipher is reputed to have been used by Julius Caesar and is called the Caesar Cipher. Shift Ciphers, and the more general Affine Ciphers we'll meet later, are based on modular arithmetic. The basics of modular arithmetic are reviewed in Chapter 3.

Definition 1 (Shift Cipher) Let P=C=K=Z₂₆. For 0 £ K £ 25, define e_K:Z₂₆®Z₂₆ and d_K:Z₂₆®Z₂₆ as follows (for x, y Î Z₂₆).

eK(x)=x+K mod 26,    dK(y)=y-K mod 26

It is easy to see that each e_K(x) is a one-to-one function, and that d_K(e_K(x))=x for all x Î Z₂₆. Hence the Shift Cipher has the required properties for a cryptosystem.

The shift cipher with K=3 is the Caesar cipher.

We use Z₂₆ because there are 26 letters in the English alphabet. Shift ciphers can be defined for any modulus m.

2.4  Using a Shift Cipher

For ordinary English text set up a correspondence between the alphabetic characters and the integers 0,...,25 as in Table 2.2.

A shift cipher with key K operates by `shifting each letter K places to the left'. We illustrate with a simple example.

Example 1 Encrypt the following plaintext with a Shift Cipher with key K=11.

Conventions: We use lower case letters for plaintext and upper case letters for ciphertext. Often the spaces between words are removed.

Desirable properties for a cryptosystem:
It should be easy to encipher and decipher, that is, e_K and d_K should be efficiently computable.
It should be secure in the sense that, given the ciphertext, the opponent Oscar should be unable to find the key or the plaintext.

The Shift Cipher (modulo 26) is not secure. Oscar could conduct an exhaustive search by trying out all the possible 26 decryption rules d_K in turn until he discovers a plaintext that makes sense.

Example 2 Given the ciphertext

iujkhxkgqkxy
htijgwjfpjwx
gshifvieoivw
frgheuhdnhuv
eqfgdtgcmgtu
dpefcsfblfst
codebreakers

2.5  Substitution ciphers

For a general substitution cipher we require P=C, that is the same ciphertext and plaintext alphabet. In our examples we will take P to be the 26 letter alphabet and identify it with Z₂₆. The set of keys K will be the set of all permutations of P. For a permutation p Î K, the rules e_p and d_p are

ep(x)=p(x),   and    dp(y)=p-1(y)

where p^-1 is the inverse permutation of p, that is p^-1(y)=x if and only if p(x)=y. The number of these permutations is 26! » 10×4.0²⁶, so an exhaustive key search is infeasible, even using a computer. (However other methods of cryptanalysis can be used to break a substitution cipher, see later.)

A shift cipher is a special type of substitution cipher, and there are only 26 of them. Another special type of substitution cipher is an Affine Cipher. This is one for which the encryption rule is

e(x)=ax+b mod 26

for some a,b Î Z₂₆. To ensure that decryption is possible this function should be one-to-one (see Table 2.1). This happens if and only if gcd(a,26)=1 (see Lemma 3.3.0.1 in Chapter 3, and question 4 in Exercise Set 3.8). In Table 2.4 we give for easy reference a list of the multiplicative inverses for the 12 elements a Î Z₂₆ for which gcd(a,26)=1.

To decrypt the ciphertext y=e(x)=ax+b we need ax=y-b and hence x=a^-1(y-b). Thus we must apply the decryption rule

d(y)=a-1(y-b).

Example 1 Encrypt the plaintext fun using an affine cipher with key K=(7,5) (that is, with encryption rule e_K(x)=7x+5). Convert the letters f, u, n to residues modulo 26 using Table 2.2, and then apply e_K and convert back to letters, againusing Table 2.2.

Plaintext	x	eK(x)	Ciphertext
f	5	7·5+5=40=14 mod 26	O
u	20	7·20+5=145 = 15 mod 26	P
n	13	7·13+5=96=18 mod 26	S

Thus the encrypted message is OPS. Bob, knowing the key K=(7,5), decrypts this with the decryption rule d_K(y)=15(y-5) (since 7^-1=15).

Ciphertext	y	dK(y)	Plaintext
O	14	15(14-5)=135=5 mod 26	f
P	15	15(15-5)=150 = 20 mod 26	u
S	18	15(18-5)=195=13 mod 26	n

Note that affine ciphers are not computationally secure as there are only 26·12 = 72 possible keys, and an exhaustive search by computer is feasible.

2.6  Polyalphabetic, block and stream ciphers

The ciphers described so far are all monoalphabetic ciphers, that is, for each occurrence of a given letter in the plaintext, the same cipher letter is used. A famous cipher that is not monoalphabetic is the Vigenere cipher named after Blaise de Vigenere who lived in the 16th century. The key K is a `keyword' of length m, for example K might be `wombat' of length m=6. We encrypt the plaintext 6 letters at a time by `adding the keyword to the plaintext'. Here is an example. From Table 2.2, the letters of the keyword `wombat' correspond to the numbers 22, 14, 12, 1, 0, 19. We write these out repeatedly under the numbers corresponding to the plaintext, add the result and convert to ciphertext using the correspondence in Table 2.2. We encrypt `Bring me chocolate' in this way as follows.

Plaintext	b	r	i	n	g	m	e	c	h	o	c	o	l	a	t	e
x	1	17	8	13	6	12	4	2	7	14	2	14	11	0	19	4
keyword	22	14	12	1	0	19	22	14	12	1	0	19	22	14	12	1
eK(x)	23	5	20	14	6	5	0	16	19	15	2	7	7	14	5	5
Ciphertext	X	F	U	O	G	F	A	Q	T	P	C	H	H	O	F	F

To decrypt we follow essentially the same procedure, except that we `subtract the key word from the ciphertext' to regain the plaintext.

Using a keyword of length m, each plaintext letter x is mapped to one of m possible ciphertext letters. A cipher with this property is called polyalphabetic. Usually cryptanalysis is more difficult for polyalphabetic than monoalphabetic cryptosystems. For the Vigenere cipher, the number of possible keywords of length m is 26^m, which is quite large even for small values of m; for m=6 this is more than 3×10⁸. So for quite moderate keyword lengths, it becomes infeasible to search through all possible keywords.

In all ciphers considered so far, successive plaintext letters, or groups of letters, have been encrypted using the same key K, that is the ciphertext string y is obtained as y=y₁y₂... = e_K(x₁)e_K(x₂).... This type of cryptosystem is called a block cipher. For example, for a substitution cipher, each plaintext letter x_i is encrypted with the single encryption rule e_K to give a ciphertext letter y_i=e_K(x_i). Thus a substitution cipher is a block cipher with blocks of length 1. On the other hand, for a Vigenere cipher with key word K=(k₁,k₂,...,k_m) of length m, m different encryption rules e_k1,...,e_km are used for encrypting successive plaintext letters in each block of m plaintext letters, say x₁,x₂,...,x_m is encrypted as e_k1(x₁),...,e_km(x_m). We can think of this as a composite encryption rule e_K being applied to the string producing e_K(x₁x₂... x_m), a ciphertext string of length m. Thus we think of the Vigenere cipher as being a block cipher with blocks of length m: we apply the same composite encryption rule e_K to each block of length m of the plaintext.

We often want to send encrypted messages electronically and so we may wish to convert English symbols and numerals (whatever is in our normal plaintext alphabet) into strings of integers modulo 2 (that is, elements of Z₂, also called binary integers or bits). For example, since there are 2⁶=64 different bit strings of length 6, we would be able to assign a different bit string of length 6 to each of the 26 lower case letters, each of the 26 upper case letters, and each of the ten numerals, and still have two left over. Suppose we decided to group our plaintext into strings with five letters or numerals in each string, and to convert each letter or numeral into a bit string of length 6. Then we would have converted the plaintext into blocks each consisting of 30 bits. A cipher that encrypts these 30-bit strings block by block would be a block cipher with blocks of length 30. As far as the cipher is concerned the encryption key is acting on bit strings of length 30 and the plaintext alphabet P is the set of all 30-bit strings, so P contains 2³⁰ » 10⁹ different elements (30-bit strings).

Currently the most commonly used block ciphers have blocks consisting of bit strings of length 64. This means that the plaintext alphabet has 2⁶⁴ elements! However 64 bit blocks are becoming insecure against modern computer cryptanalytic attack, and block ciphers are moving towards having blocks of 1024 or 2048 bits.

Historically there are several other block ciphers we could mention that use different ideas, and that have influenced future developments. One polyalphabetic cipher that encrypts the plaintext m letters at a time is the Hill Cipher, invented in 1929 by Lester S. Hill. It utilises linear algebra over Z₂₆. The key K is an invertible m×m matrix with entries in Z₂₆, and each string of m characters from the Plaintext is first converted to a sequence x of m numbers in Z₂₆, so x Î Z₂₆^m. Then x is encrypted by multiplying by the matrix K: e_K(x)=xK. The decryption rule is d_K(y)=yK^-1.

Another block cipher is the transposition cipher, sometimes also called the permutation cipher. For this cipher, the plaintext message is divided into blocks of a certain length m, and a permutation p is applied to rearrange the letters in each block. For example, if m=5 and

p = æ è 1 2 3 4 5 3 1 4 5 2 ö ø    maps 1st letter ® 3rd place, 2nd letter® 1st place, etc

then we encrypt the plaintext `This is not secure' as:

Plaintext

t

h

i

s

i

s

n

o

t

s

e

c

u

r

e

Ciphertext

H

I

T

I

S

N

S

S

O

T

C

E

E

U

R

The transposition cipher can be decrypted by applying the inverse permutation p^-1. The transposition cipher is not secure against cryptanalytic attack. However a combination of a substitution cipher followed by a transposition cipher results in a cipher that is more difficult to break by hand.

An alternative to block ciphers is to use what are called stream ciphers. A keystream is generated z=z₁z₂... and used to encrypt a Plaintext x=x₁x₂... by the rule y = e_z1(x₁)e_z2(x₂).... The keystream elements z_i usually depend on the original key K and also on the preceding plaintext x₁, x₂,...,x_i-1. This approach can be used to model mathematically many cryptosystems, including the one-time pad (see below).

Start with a key K Î K and the plaintext string x=x₁x₂.... For each i there is a rule (function) f_i for generating the keystream element z_i based on the key K and x₁, x₂,...,x_i-1, that is,

zi=fi(K,x1, x2,...,xi-1).

We use z_i to generate y_i=e_zi(x_i). Thus we generate in order z₁, y₁, z₂, y₂,.... There must be a corresponding rule to allow `Bob' to find the z_i and decrypt x_i=d_zi(y_i), for each i.

Example 1 (a) A block cipher can be thought of as a special type of stream cipher by taking a constant keystream z_i=K for all i.

(b) A stream cipher is periodic with period d if z_i+d=z_i for all i. The Vigenere cipher with key word of length m can be thought of as a periodic stream cipher with period m. In this case the keyword K=(k₁,k₂,...,k_m) gives the first m elements of the keystream z₁=k₁,...,z_m=k_m, and the keystream just repeats itself from this point on. The encryption and decryption rules are simple: e_z(x)=x+z, d_z(y)=y-z.

(c) Stream ciphers are often defined with the plaintext, ciphertext, and keystream elements all being integers modulo 2 (bits). In this case

ez(x)=x+z mod 2, and dz(y)=y+z mod 2

so encryption and decryption are easy. If we think of 0 as `false' and 1 as `true' then addition mod 2 corresponds to the `exclusive-or' operation and can be implemented very efficiently in computer hardware.

(d) The case where the plaintext is a string of n integers mod 2, say x₁x₂... x_n, and also the key K=(k₁,k₂,...,k_n) is a string of the same length n of integers mod 2 is called the one-time pad. Here

eK(x1,x2,..., xn)=(x1+k1,x2+k2,...,xn+kn) mod 2, and

dK(y1,y2,..., yn)=(y1+k1,y2+k2,...,yn+kn) mod 2.

This was described and patented by Gilbert Vernam in 1917. It is an unconditionally secure cryptosystem (provided the key is kept secret), and is important in military and diplomatic contexts. However it has limited use commercially because of key management problems: the key which must be communicated securely has length equal to the message length. Historical efforts in cryptography have been to design cryptosystems where one key can be used for many messages while maintaining (at least) computational security.

There are many other interesting `classical' ciphers. An excellent account can be found in the Code Book by Simon Singh. This includes stories about many of the ciphers used during World War II. Many books on classical cryptography can be found in the library. More recently a cipher called Solitaire involving a pack of cards for both encryption and decryption was suggested in the novel `Cryptonomicon' by Neal Stephenson. This cipher was developed by Bruce Schneier and a description can be found

on the Counterpane Internet Security web site.

2.7  Cryptanalysis

The golden rule for designers of cryptosystems is never to underestimate the cryptanalyst.

Kerckhoff's Principle 1883: Assume that the cryptanalyst (opponent) knows the cryptosystem.

It would be unwise to design a cryptosystem without assuming Kerckhoff's Principle. The goal is to achieve security while observing it. There are different levels of attack on cryptosystems and the most common ones are listed in Table 2.5. The objectis always to determine the key K. The `chosen ciphertext attack' is in particular relevant to public-key cryptosystems, which we discuss later.

Consider the weakest type of attack, the `ciphertext only attack'. Assume that the plaintext is English or some other structured language. Then a frequency count will give good guesses for the commonly occurring letters: simply work out the frequency of commonly occurring letters in the ciphertext and compare these against the English frequency statistics, see Table 2.6, to guess what they stand for in the plaintext. The rest can be broken by the redundancy naturally present in English. (The data in Table 2.6is from Beker and Piper, p.397.)

From Table 2.6, the most commonly occurring letters in English are, in order, E T A O I N S R H ¼. Also the most common pairs are TH, HE, IN, ER, AN, RE ¼, and the most common triples are THE, AND, ING, ION. You have an opportunity to try this out in a simple way with the last question in the Exercise Set on Classical Ciphers.

2.8  Exercise Set: Classical Ciphers

1. Encrypt the following using a Shift Cipher with key K=4.

2. The following was encrypted using a Shift Cipher. Decrypt it. What was the key?

3. Show that the ciphertext of dog using an affine cipher with key K=(3,9) is YXT.

4. Decrypt the ciphertext YATJ if an affine cipher with key K=(11,2) was used for encryption.

5. Decrypt the ciphertext

6. Below are given three examples of ciphertext, each obtained from either a shift cipher or an affine cipher. In each case determine what type of cipher was used, and find the key. If you have the energy find the plaintext. I have left in the punctuation and spaces between words to make it easier. (With one of them, you may need to `decipher' it further after decryption.)

6A Y SYQR WYXRWJ AG DUXRWJ OJ AG AOXRWJ, OJ YHPWWP BOXR OD XRWA, UQ XRWG SWJW YH PEXG BOXR WCEUTTG BOEHP XO YX, RUP AYHPWP SRUX XRWG SWJW UBOEX SRWH XRWG BWKOX AW; RUP XRWG PETG IOHQYPWJ'P ROS AEIR PWVWHPWP EVOH SRUX XRWG SWJW XRWH POYHK;-XRUX HOX OHTG XRW VJOPEIXYOH OD U JUXYOHUT BWYHK SUQ IOHIWJHWP YH YX, BEX XRUX VOQQYBTG XRW RUVVG DOJAUXYOH UHP XWAVWJUXEJW OD RYQ BOPG, VWJRUVQ RYQ KWHYEQ UHP XRW LWJG IUQX OD RYQ AYHP;-UHP, DOJ UEKRX XRWG MHWS XO XRW IOHXJUJG, WLWH XRW DOJXEHWQ OD RYQ SROTW ROEQW AYKRX XUMW XRWYJ XEJH DJOA XRW REAOEJQ UHP PYQVOQYXYOHQ SRYIR SWJW XRWH EVVWJAOQX;-RUP XRWG PETG SWYKRWP UHP IOHQYPWJWP UTT XRYQ, UHP VJOIWWPWP UIIOJPYHKTG,-Y UA LWJYTG VWJQEUPWP Y QROETP RULW AUPW U CEYXW PYDDWJWHX DYKEJW YH XRW SOJTP, DJOA XRUX YH SRYIR XRW JWUPWJ YQ TYMWTG XO QWW AW.-BWTYWLW AW, KOOP DOTMQ, XRYQ YQ HOX QO YHIOHQYPWJUBTW U XRYHK UQ AUHG OD GOE AUG XRYHM YX;-GOE RULW UTT, Y PUJW QUG, RWUJP OD XRW UHYAUT QVYJYXQ, UQ ROS XRWG UJW XJUHQDEQWP DJOA DUXRWJ XO QOH, WXI. WXI.-UHP U KJWUX PWUT XO XRUX VEJVOQW:-SWTT, GOE AUG XUMW AG SOJP, XRUX HYHW VUJXQ YH XWH OD U AUH'Q QWHQW OJ RYQ HOHQWHQW, RYQ QEIIWQQWQ UHP AYQIUJJYUKWQ YH XRYQ SOJTP PWVWHP EVOH XRWYJ AOXYOHQ UHP UIXYLYXG, UHP XRW PYDDWJWHX XJUIMQ UHP XJUYHQ GOE VEX XRWA YHXO, QO XRUX SRWH XRWG UJW OHIW QWX U-KOYHK, SRWXRWJ JYKRX OJ SJOHK, 'XYQ HOX U RUTD- VWHHG AUXXWJ,-USUG XRWG KO ITEXXWJYHK TYMW RWG-KO AUP; UHP BG XJWUPYHK XRW QUAW QXWVQ OLWJ UHP OLWJ UKUYH, XRWG VJWQWHXTG AUMW U JOUP OD YX, UQ VTUYH UHP UQ QAOOXR UQ U KUJPWH-SUTM, SRYIR, SRWH XRWG UJW OHIW EQWP XO, XRW PWLYT RYAQWTD QOAWXYAWQ QRUTT HOX BW UBTW XO PJYLW XRWA ODD YX.

VJUG AG PWUJ, CEOXR AG AOXRWJ, RULW GOE HOX DOJKOX XO SYHP EV XRW ITOIM?- KOOP K..! IJYWP AG DUXRWJ, AUMYHK UH WZITUAUXYOH, BEX XUMYHK IUJW XO AOPWJUXW RYQ LOYIW UX XRW QUAW XYAW,-PYP WLWJ SOAUH, QYHIW XRW IJWUXYOH OD XRW SOJTP, YHXWJJEVX U AUH SYXR QEIR U QYTTG CEWQXYOH? VJUG, SRUX SUQ GOEJ DUXRWJ QUGYHK?-HOXRYHK.

6B XQNGPGNC

SYTU DGS GVNY NDU KQV --  
AUVNPC GNK NYQOD IWYMU DGS YVOU,  
IN DYSU, WDGKBUHGVA YX XGUPRK QVKYWV. 
IPWICK GN WYMU DGS, UTUV GV XHIVOU,   
QVNGP NDGK SYHVGVA IVR NDGK KVYW. 
GX IVCNDGVA SGADN HYQKU DGS VYW   
NDU MGVR YPR KQV WGPP MVYW.   

NDGVM DYW GN WIMUK NDU KUURK --   
WYMU, YVOU, NDU OPICK YX I OYPR KNIH. 
IHU PGSLK KY RUIH-IODGUTUR, IHU KGRUK 
XQPP-VUHTUR, -- KNGPP WIHS, -- NYY DIHR NY KNGH?  
WIK GN XYH NDGK NDU OPIC AHUW NIPP?   
-- Y WDIN SIRU XINQYQK KQVLUISK NYGP  
NY LHUIM UIHND'K KPUUB IN IPP?

6C GJJXKYY ZU G NGMMOY

LGOX LG' EUAX NUTKYZ, YUTYOK LGIK,  
MXKGZ INOKLZGOT U' ZNK VAJJOTM-XGIK! 
GHUUT ZNKS G' EKZ ZGQ EUAX VRGIK, 
VGOTIN, ZXOVK, UX ZNGOXS:  
CKKR GXK EK CUXJE U'G MXGIK 
GY RGTM'Y SE GXS.  
 
ZNK MXUGTOTM ZXKTINKX ZNKXK EK LORR, 
EUAX NAXJOKY ROQK G JOYZGTZ NORR, 
EUAX VOT CGY NKRV ZU SKTJ G SORR  
OT ZOSK U'TKKJ,  
CNORK ZNXU' EUAX VUXKY ZNK JKCY JOYZOR 
ROQK GSHKX HKGJ. 
 
NOY QTOLK YKK XAYZOI RGHUAX JOMNZ,  
GT' IAZ EUA AV CO' XKGJE YRKOMNZ, 
ZXKTINOTM EUAX MAYNOTM KTZXGORY HXOMNZ,  
ROQK UTE JOZIN;  
GTJ ZNKT, U CNGZ G MRUXOUAY YOMNZ,  
CGXS-XKKQOT', XOIN! 
 
ZNKT, NUXT LUX NUXT, ZNKE YZXKZIN GT' YZXOBK: 
JKOR ZGQ ZNK NOTJSUYZ! UT ZNKE JXOBK,  
ZORR G' ZNKOX CKKR-YCGRR'J QEZKY HKREBK  
GXK HKTZ ROQK JXASY;  
ZNKT GARJ MAOJSGT, SGOYZ ROQK ZU XOBK, 
HKZNGTQOZ! NASY. 
 
OY ZNKXK ZNGZ UCXK NOY LXKTIN XGMUAZ 
UX UROU ZNGZ CGJ YZGC G YUC,  
UX LXOIGYYKK CGJ SGQK NKX YVKC  
CO' VKXLKIZ YIUTTKX,  
RUUQY JUCT CO' YTKKXOTM, YIUXTLA' BOKC 
UT YOI G JOTTKX? 
 
VUUX JKBOR! YKK NOS UCXK NOY ZXGYN, 
GY LKIQRKY GY COZNKX'J XGYN,  
NOY YVOTJRK YNGTQ, G MAOJ CNOV-RGYN; 
NOY TOKBK G TOZ; 
ZNXU' HRUJE LRUUJ UX LOKRJ ZU JGYN, 
U NUC ATLOZ! 
 
HAZ SGXQ ZNK XAYZOI, NGMMOY-LKJ,  
ZNK ZXKSHROTM KGXZN XKYUATJY NOY ZXKGJ.  
IRGV OT NOY CGROK TOKBK G HRGJK,  
NK'RR SGQ OZ CNOYYRK; 
GT' RKMY GT' GXSY, GT' NGTJY CORR YTKJ,  
ROQK ZGVY U' ZXOYYRK. 
 
EK VUC'XY, CNG SGQ SGTQOTJ EUAX IGXK,  
GTJ JOYN ZNKS UAZ ZNKOX HORR U' LGXK,  
GARJ YIUZRGTJ CGTZY TGK YQOTQOTM CGXK  
ZNGZ PGAVY OT RAMMOKY;  
HAZ, OL EK COYN NKX MXGZKLA' VXGEKX 
MOK NKX G NGMMOY!

2.9  Exercise Solutions: Classical Ciphers

1.  PSKMGMWXLICSYXLSJQEXLIQEXMGW

2. Life is not a problem. It is a mystery to be unfurled. The key was K=3.

3.

Plaintext	x	eK(x)	Ciphertext
d	3	7·3+3=24 mod 26	Y
o	14	7·14+3=101 = 23 mod 26	X
g	6	7·6+3=45 = 19 mod 26	T

4. Since 11^-1=19 in Z₂₆, d_K(y)=19(y-2). We decrypt as in the table below and find the plaintext `cold'.

Ciphertext	y	dK(y)	Plaintext
Y	24	19(24-2)=418 = 2 mod 26	c
A	0	19( 0-2)=-38=14 mod 26	o
T	19	19(19-2)=323=11 mod 26	l
J	9	19( 9-2)=133 = 3 mod 26	d

5. The keyword `maths' corresponds to the sequence 12, 0, 19, 7, 18. We therefore decrypt as follows.

Ciphertext	U	W	T	U	L	F	P	T	Z	K	F	H	B	Z
y	20	22	19	20	11	5	15	19	25	10	5	7	1	25
keyword	12	0	19	7	18	12	0	19	7	18	12	0	19	7
dK(y)	8	22	0	13	19	19	15	0	18	18	19	7	8	18
Plaintext	i	w	a	n	t	t	p	a	s	s	t	h	i	s

M	Z	I	M
12	25	8	12
18	12	0	19
20	13	8	19
u	n	i	t

Plaintext: I want to pass this unit.

6A. This used an affine cipher e_K:x® ax+b with a=7, b=20 modulo 26. The plaintext is from the first chapter of Tristan Shandy by Lawrence Stern.

I wish either my father or my mother, or indeed both of them, as they were in duty both equally bound to it, had minded what they were about when they begot me; had they duly consider'd how much depended upon what they were then doing;-that not only the production of a rational Being was concerned in it, but that possibly the happy formation and temperature of his body, perhaps his genius and the very cast of his mind;-and, for aught they knew to the contrary, even the fortunes of his whole house might take their turn from the humours and dispositions which were then uppermost;-Had they duly weighed and considered all this, and proceeded accordingly,-I am verily persuaded I should have made a quite different figure in the world, from that in which the reader is likely to see me.-Believe me, good folks, this is not so inconsiderable a thing as many of you may think it;-you have all, I dare say, heard of the animal spirits, as how they are transfused from father to son, etc. etc.-and a great deal to that purpose:-Well, you may take my word, that nine parts in ten of a man's sense or his nonsense, his successes and miscarriages in this world depend upon their motions and activity, and the different tracks and trains you put them into, so that when they are once set a-going, whether right or wrong, 'tis not a half- penny matter,-away they go cluttering like hey-go mad; and by treading the same steps over and over again, they presently make a road of it, as plain and as smooth as a garden-walk, which, when they are once used to, the Devil himself sometimes shall not be able to drive them off it.

Pray my Dear, quoth my mother, have you not forgot to wind up the clock?- Good G..! cried my father, making an exclamation, but taking care to moderate his voice at the same time,-Did ever woman, since the creation of the world, interrupt a man with such a silly question? Pray, what was your father saying?-Nothing.

6B. This used an affine cipher e_K:x® ax+b with a=3, b=8 modulo 26. The plaintext is a poem by Wilfred Owen.

Futility

Move him into the sun --
Gently its touch awoke him once,
At home, whispering of fields unsown.
Always it woke him, even in France,
Until this morning and this snow.
If anything might rouse him now
The kind old sun will know.

Think how it wakes the seeds --
Woke, once, the clays of a cold star.
Are limbs so dear-achieved, are sides
Full-nerved, -- still warm, -- too hard to stir?
Was it for this the clay grew tall?
-- O what made fatuous sunbeams toil
To break earth's sleep at all?

6C. This used a shift cipher e_K:x® x+6. The plaintext is a poem by Robert Burns.

Address To A Haggis

Fair fa' your honest, sonsie face,
Great chieftain o' the pudding-race!
Aboon them a' yet tak your place,
Painch, tripe, or thairm:
Weel are ye wordy o'a grace
As lang's my arm.

The groaning trencher there ye fill,
Your hurdies like a distant hill,
Your pin was help to mend a mill
In time o'need,
While thro' your pores the dews distil
Like amber bead.

His knife see rustic Labour dight,
An' cut you up wi' ready sleight,
Trenching your gushing entrails bright,
Like ony ditch;
And then, O what a glorious sight,
Warm-reekin', rich!

Then, horn for horn, they stretch an' strive:
Deil tak the hindmost! on they drive,
Till a' their weel-swall'd kytes belyve
Are bent like drums;
Then auld Guidman, maist like to rive,
Bethankit! hums.

Is there that owre his French ragout
Or olio that wad staw a sow,
Or fricassee wad make her spew
Wi' perfect sconner,
Looks down wi' sneering, scornfu' view
On sic a dinner?

Poor devil! see him owre his trash,
As feckles as wither'd rash,
His spindle shank, a guid whip-lash;
His nieve a nit;
Thro' blody flood or field to dash,
O how unfit!

But mark the Rustic, haggis-fed,
The trembling earth resounds his tread.
Clap in his walie nieve a blade,
He'll mak it whissle;
An' legs an' arms, an' hands will sned,
Like taps o' trissle.

Ye Pow'rs, wha mak mankind your care,
And dish them out their bill o' fare,
Auld Scotland wants nae skinking ware
That jaups in luggies;
But, if ye wish her gratefu' prayer
Gie her a haggis!