Text Machine

Powerful text tools, in your browser

Hill Cipher

Encode and decode the Hill cipher, the classical polygraphic cipher built on linear algebra. Letters are grouped into blocks, turned into number vectors, and multiplied by a key matrix modulo 26: encryption is C = K·P, decryption is P = K⁻¹·C. Choose a 2×2 or 3×3 key, watch the live matrix, its determinant, and its modular inverse, and follow the block-by-block working. Everything runs in your browser.


How to use Hill Cipher

  1. Choose encode or decode and a matrix size

    Select Encode to encrypt or Decode to decrypt, then pick a 2×2 key (letters in pairs) or a 3×3 key (letters in triples).

  2. Enter the key as letters

    Type the key letters that fill the matrix row by row: four letters for a 2×2 key, nine for a 3×3. The live matrix shows the determinant and tells you whether the key is invertible mod 26.

  3. Type or paste your text

    Enter your message and it is converted as you type. The working panel shows each block as a vector, the matrix multiplication, and the resulting block.

  4. Check the key matrix and inverse

    Open the key-matrix panel to see the key, its determinant, and, when the key is valid, the modular inverse matrix used for decoding.

  5. Copy, download, or share

    Copy the result, download it as a text file, or share a link that reopens the tool with your exact text, key, size, and direction ready to go.

Understanding the Hill Cipher

What is the Hill cipher?

The Hill cipher is a classical polygraphic substitution cipher invented by the American mathematician Lester S. Hill in 1929. Instead of replacing one letter at a time, it enciphers a whole block of letters together by treating the block as a vector of numbers and multiplying it by a secret key matrix, modulo 26. It was the first practical cipher able to operate on more than three symbols at once, and it brought linear algebra squarely into cryptography.

Because each output letter depends on every input letter in its block, the Hill cipher hides the single-letter frequencies that betray simpler ciphers. A 2×2 key mixes letters in pairs, a 3×3 key mixes them in triples, and larger matrices mix even bigger blocks. That diffusion is the same idea that underlies modern block ciphers, which makes the Hill cipher a favourite teaching example — even though, as a linear cipher, it is easy to break with a little known plaintext.

How the Hill cipher works

First, turn letters into numbers with A=0, B=1, up to Z=25. The key is an n×n matrix of such numbers; here you type it as a run of letters that fills the matrix row by row, so a 2×2 key needs four letters and a 3×3 key needs nine. The plaintext is split into blocks of n letters, each written as a column vector.

To encrypt a block P, compute C = K · P (mod 26): multiply the key matrix by the vector and reduce every entry modulo 26, then read the numbers back as letters. To decrypt, you need the modular inverse of the key matrix, K⁻¹, and compute P = K⁻¹ · C (mod 26). The inverse exists only when the matrix determinant is invertible modulo 26 — that is, when it shares no common factor with 26 — which is the single most important rule when choosing a key.

Choosing a valid key matrix

Not every matrix can be a Hill key. For decryption to work, the determinant of the key, taken modulo 26, must be coprime with 26. Since 26 = 2 × 13, the determinant must be odd and not a multiple of 13; the allowed values are the twelve numbers 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25. If the determinant is even or equals 13, no modular inverse exists and the ciphertext cannot be uniquely decoded.

The tool computes the determinant for you and shows a green badge when the key is invertible or a red one when it is not, alongside the inverse matrix it will use for decoding. If a key is rejected, change a letter or two and watch the determinant update until it lands on a valid value. This live feedback turns the otherwise fiddly job of hand-picking a Hill key into a quick, visual exercise.

A worked 2×2 example

Take the key DDCF, which fills the 2×2 matrix with the numbers 3, 3 on the top row and 2, 5 on the bottom row. Its determinant is 3×5 − 3×2 = 9, and because 9 is coprime with 26 the key is valid. Now encrypt HELP. The first block HE is the vector (7, 4): multiplying gives (3×7 + 3×4, 2×7 + 5×4) = (33, 34), which reduces mod 26 to (7, 8) = HI.

The second block LP is (11, 15), giving (3×11 + 3×15, 2×11 + 5×15) = (78, 97) = (0, 19) = AT. So HELP encrypts to HIAT. To decrypt, the tool inverts the key to (15, 17 / 20, 9) and multiplies each cipher block by it, recovering HELP. Type DDCF as the key above to watch every step appear in the live working panel.

A worked 3×3 example

The classic 3×3 example uses the key GYBNQKURP, which fills the matrix with 6, 24, 1 on the first row, 13, 16, 10 on the second, and 20, 17, 15 on the third. Encrypting the trigraph ACT — the vector (0, 2, 19) — gives (67, 222, 319) before reduction, which becomes (15, 14, 7) modulo 26, or POH.

The determinant of this matrix is 25 modulo 26, which is coprime with 26, so it is a valid key, and its modular inverse is the matrix (8, 5, 10 / 21, 8, 21 / 21, 12, 8). Multiplying the cipher block POH by that inverse returns ACT. Switch the size selector to 3×3 and enter GYBNQKURP to reproduce this textbook example and see the inverse matrix the tool derives.

Padding, letters, and formatting

The Hill cipher only knows the 26 letters A–Z, so spaces, digits, and punctuation are stripped before encryption and do not return when you decrypt. Because the message is processed in fixed blocks, a plaintext whose length is not a multiple of the block size is padded with the letter X to complete the final block; a decrypted message may therefore end in one or two extra letters.

Letter case is not preserved — everything is treated as uppercase. These limitations are inherent to the classical cipher rather than to this tool, and they are part of why the Hill cipher, like its contemporaries, was used for short tactical messages rather than free-flowing text. The live breakdown shows exactly how your text is grouped and padded into blocks.

Security and cryptanalysis

The Hill cipher's strength is also its fatal weakness: it is linear. Each cipher block is a fixed linear function of the plaintext block, so an attacker who learns enough plaintext–ciphertext block pairs can set up and solve a system of linear equations to recover the key matrix directly. For an n×n key, roughly n known blocks are usually enough, which makes the cipher fall quickly to a known-plaintext attack.

It also offers no diffusion between blocks and no confusion beyond the linear mix, so identical plaintext blocks always encrypt to identical cipher blocks. By modern standards it is not secure, and you should never use it to protect real information — reach for a vetted algorithm such as AES instead. As a clear, hands-on illustration of how matrices, modular arithmetic, and block encryption fit together, though, the Hill cipher remains one of the best classical ciphers to learn.
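
Added example (not this tool's own code): a short Python version of the steps described under "How the Hill cipher works" and "Choosing a valid key matrix", together with the known-plaintext key recovery described in this section, to show how little the linear structure protects the key. All function names are illustrative, and recover_key assumes the ciphertext lines up block for block with the known plaintext.

```python
from itertools import combinations
from math import gcd

M = 26  # alphabet size: A=0 ... Z=25

def nums(text):
    """Uppercase, drop everything except A-Z, map letters to 0..25."""
    return [ord(c) - 65 for c in text.upper() if "A" <= c <= "Z"]

def key_matrix(letters, n):
    """Fill an n x n matrix row by row from the key letters."""
    v = nums(letters)
    if len(v) != n * n:
        raise ValueError(f"need exactly {n * n} key letters")
    return [v[i * n:(i + 1) * n] for i in range(n)]

def minor(m, i, j):
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]

def det(m):
    """Integer determinant by cofactor expansion (fine for 2x2 and 3x3)."""
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m))) if m else 1

def inverse(m):
    """Adjugate times det^-1 mod 26, or None when gcd(det, 26) != 1."""
    d = det(m) % M
    if gcd(d, M) != 1:
        return None
    d_inv, n = pow(d, -1, M), len(m)
    return [[(-1) ** (i + j) * det(minor(m, j, i)) * d_inv % M for j in range(n)] for i in range(n)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) % M for col in zip(*b)] for row in a]

def hill(text, k):
    """C = K.P (mod 26) per block; pass inverse(k) to decrypt. Pads with X."""
    n, v = len(k), nums(text)
    v += [23] * (-len(v) % n)
    out = [r[0] for i in range(0, len(v), n) for r in matmul(k, [[x] for x in v[i:i + n]])]
    return "".join(chr(x + 65) for x in out)

def recover_key(plain, cipher, n):
    """Known plaintext: find n blocks whose matrix P is invertible, then K = C.P^-1."""
    p, c = nums(plain), nums(cipher)
    for idx in combinations(range(0, len(p) - n + 1, n), n):
        P, C = ([[t[i + r] for i in idx] for r in range(n)] for t in (p, c))  # columns = blocks
        if (P_inv := inverse(P)) is not None:
            return matmul(C, P_inv)
    return None  # these known blocks do not determine the key
```

With the page's key DDCF, recover_key("HELP", "HIAT", 2) returns [[3, 3], [2, 5]], the full key from two known blocks. The constructed pair BCDE/JMVA alone returns None because its plaintext matrix has an even determinant, which is why the text says n blocks are "usually" enough.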

Frequently asked questions

What is the Hill cipher?
The Hill cipher is a classical polygraphic substitution cipher created by Lester S. Hill in 1929. It enciphers letters in blocks by turning each block into a vector of numbers and multiplying it by a secret key matrix modulo 26. Because every output letter depends on the whole block, it hides single-letter frequencies and was the first cipher to apply linear algebra to encryption in a practical way.
How does the Hill cipher work?
Letters become numbers (A=0 … Z=25). The plaintext is split into blocks of n letters, each written as a vector, and encrypted with C = K·P (mod 26) using an n×n key matrix K. Decryption uses the modular inverse of the key: P = K⁻¹·C (mod 26). A 2×2 key works on pairs of letters and a 3×3 key on triples.
How do I choose a valid Hill cipher key?
The key matrix is decryptable only when its determinant, taken modulo 26, is coprime with 26. Because 26 = 2 × 13, the determinant must be odd and not a multiple of 13 — one of 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, or 25. This tool shows the determinant live and marks the key invertible or not, so you can adjust the letters until it is valid.
Can you show a worked Hill cipher example?
With the 2×2 key DDCF (rows 3,3 and 2,5, determinant 9) the word HELP encrypts to HIAT: HE = (7,4) maps to (7,8) = HI, and LP = (11,15) maps to (0,19) = AT. With the 3×3 key GYBNQKURP the trigraph ACT encrypts to POH. Enter either key above to watch every block and the matrix multiplication appear step by step.
How do you decode a Hill cipher?
Decoding multiplies each cipher block by the modular inverse of the key matrix, P = K⁻¹·C (mod 26). In this tool, choose Decode, set the same matrix size, and enter the same key used to encrypt; it computes the inverse and rebuilds the plaintext. The key must be invertible mod 26, or no inverse — and so no unique decoding — exists.
What is the difference between a 2×2 and a 3×3 Hill cipher?
The matrix size sets the block length. A 2×2 key enciphers letters two at a time and needs a four-letter key; a 3×3 key enciphers them three at a time and needs a nine-letter key. Larger matrices mix more letters per block and resist frequency analysis a little better, but they are harder to set up and still fall to a known-plaintext attack.
Why does my key say it is not invertible?
A Hill key can decode only if the determinant of its matrix is coprime with 26. If the determinant is even or a multiple of 13, the matrix has no inverse modulo 26 and the ciphertext cannot be uniquely decoded. Change one or two letters of the key and watch the determinant update until the tool marks the key invertible.
What happens to spaces, numbers, and punctuation?
Only A–Z letters exist in the Hill cipher, so spaces, digits, and punctuation are removed before encryption and do not reappear when you decode. If the message length is not a multiple of the block size, it is padded with the letter X to fill the last block, so a decrypted message may end in one or two extra letters.
Is the Hill cipher secure?
No. The Hill cipher is linear, so an attacker who obtains enough plaintext–ciphertext block pairs can solve a system of linear equations and recover the key matrix. For an n×n key, around n known blocks usually suffice. It is excellent for learning how matrices and modular arithmetic build a block cipher, but for real protection you should always use a modern algorithm such as AES.
Who invented the Hill cipher?
The Hill cipher was invented by Lester S. Hill, an American mathematician, and published in 1929 in the journal The American Mathematical Monthly. It was notable for being the first cipher able to encrypt blocks of more than three letters at a practical scale, and it introduced matrix algebra and modular arithmetic as encryption tools — ideas that echo in modern block cipher design.
What is the modular inverse of a matrix?
It is the matrix that, multiplied by the key modulo 26, gives the identity matrix. For a 2×2 or 3×3 key it is found by multiplying the adjugate (the transposed cofactor matrix) by the modular inverse of the determinant. The Hill cipher uses it to undo encryption, and this tool displays the inverse it computes whenever the key is valid.
Is my text uploaded to a server?
No. All encoding and decoding happens entirely in your browser, so your text and key are never uploaded, logged, or stored. Even a share link keeps your text and key in the part of the URL after the hash, which browsers never send to a server, so your message stays private until you choose to share the link.
