COMMUNICATION THEORY Oh SECRECY SYSTEMS 659 



With a pure riphcr il is shown that aU keys arc essentially efiuivalent— 

 tliey all lead to the same set of a posteriori probabilities. l''urthermore, when 

 a ^'iven cryptogram is intercepted there is a set of messages that might have 

 produced this cryptogram (a "residue class") and the a posteriori prob- 

 abilities of messages in this class are proportional to the a priori proliabilities. 

 All the information the enemy has obtained by intercepting the cryptogram 

 is a specification of the residue class. Many of the common ciphers are pure 

 systems, including simple substitution with random key. In this case the 

 residue class consists of all messages with the same pattern of letter repeti- 

 tions as the intercepted cryptogram. 



Two systems R and 5 are defined to be "similar" if tliere exists a fixed 

 transformation A with an inverse, /1~', such that 



R = AS. 



If R and S are similar, a one-to-one correspondence between the resulting 

 cryptograms can be set up leading to the same a posteriori probabilities. 

 The two systems are crypt analytically the same. 



The second part of the paper deals with the problem of "theoretical 

 secrecy." How secure is a system against cryptanalysis when the enemy has 

 unlimited time and manpower available for the analysis of intercepted 

 cryptograms? The problem is closely related to questions of communication 

 in the presence of noise, and the concepts of entropy and equivocation 

 developed for the communication problem find a direct application in this 

 ]iart of cryptography. 



"Perfect Secrecy" is defined by requiring of a system that after a crypto- 

 gram is intercepted by the enemy the a posteriori probabilities of this crypto- 

 gram representing various messages be identically the same as the a priori 

 probabilities of the same messages before the interception. It is shown that 

 perfect secrecy is possible but requires, if the number of messages is hnite, 

 the same number of possible keys. If the message is thought of as being 

 constantly generated at a given "rate" R (to be defined later), key must be 

 generated at the same or a greater rate. 



If a secrecy system with a finite key is used, and X letters of cryptogram 

 intercepted, there will be, for the enemy, a certain set of messages with 

 certain probabilities, that this cryptogram could represent. As A' increases 

 the field usually narrows down until eventually there is a unique "solution" 

 to the cryptogram; one message with probability essentially unity while all 

 others are practically zero. A quantity //(A^) is defined, called the equivoca- 

 tion, which measures in a statistical way how near the average cryptogram 

 of N letters is to a unique solution; that is, how uncertain the enemy is of the 

 original message after intercepting a cryptogram of A' letters. \'arious 

 properties of the equivocation are deduced— for example, the equivocation 



