658 BELL SYSTEM TECHNICAL JOURNAL 



can substitute for 26 different letters. These are all equally likely and each 

 therefore has an a priori probability 1/26!. If this is applied to "normal 

 English" the cryptanalyst being assumed to have no knowledge of the 

 message source other than that it is producing English text, the a priori 

 probabilities of various messages of .V letters are merely their relative 

 frequencies in normal English text. 



If the enemy intercepts N letters of cryptogram in this system his prob- 

 abilities change. If N is large enough (say 50 letters) there is usually a single 

 message of a posteriori probability nearly unity, while all others have a total 

 probability nearly zero. Thus there is an essentially unique "solution" to 

 the cryptogram. For .V smaller (say X = 15) there will usually be many 

 messages and keys of comparable probability, with no single one nearly 

 unity. In this case there are multiple "solutions" to the cryptogram. 



Considering a secrecy system to be represented in this way, as a set of 

 transformations of one set of elements into another, there are two natural 

 combining operations which produce a third system from two given systems. 

 The hrst combining operation is called the product operation and cor- 

 responds to enciphering the message with the first secrecy system R and 

 enciphering the resulting cryptogram with the second system S, the keys for 

 R and 5 being chosen independently. This total operation is a secrecy 

 system whose transformations consist of all the products (in the usual sense 

 of products of transformations) of transformations in S with transformations 

 in R. The probabilities are the products of the probabilities for the two 

 transformations . 



The second combining operation is "weighted addition." 



T = pR+ qS /' + (/=! 



It corresponds to making a preliminary choice as to whether system R or 

 S is to be used with probabilities p and q, respectively. When this is done 

 i? or 5 is used as originally defined. 



It is shown that secrecy systems with these two combining operations 

 form essentially a "linear associative algebra" with a unit element, an 

 algebraic variety that has been extensively studied by mathematicians. 



Among the many possible secrecy systems there is one type with many 

 special properties. This type we call a "pure" system. A system is pure if 

 all keys are equally likely and if for any three transformations T,, Tj, Ti-, 

 in the set the product 



T.Tr'Tk 



is also a transformation in the set. That is enciphering, deciphering, and 

 enciphering with any three keys must be equivalent to enciphering with 

 some key. 



