662 BELL SYSTEM TECHNICAL JOURNAL 



the relative frequencies of occurrence of these sequences in normal English 

 text. 



At the receiving end it must be possible to recover M, knowing E and K. 

 Thus the transformations Tt in the family must have unique inverses 

 Ti such that r,T7 = /, the identity transformation. Thus: 



M = TTE. 



At any rate this inverse must exist uniquely for every E which can be 

 obtained from an M with key i. Hence we arrive at the definition: A secrecy 

 system is a family of uniquely reversible transformations Ti of a set of 

 possible mssages into a set of cryptograms, the transformation Ti having 

 an associated probability pi. Conversely any set of entities of this type will 

 be called a "secrecy system." The set of possible messages will be called, 

 for convenience, the "message space" and the set of possible cryptograms 

 the "cryptogram space." 



Two secrecy systems will be the same if they consist of the same set of 

 transformations Ti , with the same message and cryptogram space (range 

 and domain) and the same probabilities for the keys. 



A secrecy system can be visualized mechanically as a machine with one 

 or more controls on it. A sequence of letters, the message, is fed into the 

 input of the machine and a second series emerges at the output. The par- 

 ticular setting of the controls corresponds to the particular key being used. 

 Some statistical method must be prescribed for choosing the key from all 

 the possible ones. 



To make the problem mathematically tractable we shall assume that 

 the enemy knows the system being used. That is, he knows the family of trans- 

 formations Ti , and the probabilities of choosing various keys. It might be 

 objected that this assumption is unrealistic, in that the cryptanalyst often 

 does not know what system was used or the probabilities in question. There 

 are two answers to this objection: 



1. The restriction is much weaker than appears at first, due to our broad 

 definition of what constitutes a secrecy system. Suppose a cryptog- 

 rapher intercepts a message and does not know whether a substitution, 

 transposition, or Vigenere type cipher was used. He can consider the 

 message as being enciphered by a system in which part of the key is the 

 specification of which of these types was used, the next part being the 

 particular key for that type. These three different possibilities are 

 assigned probabilities according to his best estimates of the a priori 

 probabilities of the encipherer using the respective types of cipher. 



2. The assumption is actually the one ordinarily used in cryptographic 

 studies. It is pessimistic and hence safe, but in the long run realistic, 

 since one must expect his system to be found out eventually. Thus, 



