664 BELL SYSTEM TECHNICAL JOURNAL 



is that the decipherer knows the particular key being used, while the crypt- 

 analyst knows only the a priori probabilities of the various keys in the set. 

 The process of deciphering is that of applying the inverse of the particular 

 transformation used in enciphering to the cryptogram. The process of crypt- 

 analysis is that of attempting to determine the message (or the particular 

 key) given only the cryptogram and the a priori probabilities of various 

 keys and messages. 



There are a number of difficult epistemological questions connected with 

 the theory of secrecy, or in fact with any theory which involves questions of 

 probability (particularly a priori probabilities, Bayes' theorem, etc.) when 

 applied to a physical situation. Treated abstractly, probability theory can 

 be put on a rigorous logical basis with the modern measure theory ap- 

 proach.^'^ As applied to a physical situation, however, especially when 

 "subjective" probabilities and unrepeatable experiments are concerned, 

 there are many questions of logical validity. For example, in the approach 

 to secrecy made here, a priori probabilities of various keys and messages 

 are assumed known by the enemy cryptographer — how can one determine 

 operationally if his estimates are correct, on the basis of his knowledge of the 

 situation? 



One can construct artificial cryptographic situations of the "urn and die" 

 type in which the a priori probabilities have a definite unambiguous meaning 

 and the idealization used here is certainly appropriate. In other situations 

 that one can imagine, for example an intercepted communication between 

 Martian invaders, the a priori probabilities would probably be so uncertain 

 as to be devoid of significance. Most practical cryptographic situations lie 

 somewhere between these limits. A cryptanalyst might be willing to classify 

 the possible messages into the categories "reasonable," "possible but un- 

 likely" and "unreasonable," but feel that finer subdivision was meaningless. 



Fortunately, in practical situations, only extreme errors in a priori prob- 

 abilities of keys and messages cause significant errors in the important 

 parameters. This is because of the exponential behavior of the number of 

 messages and cryptograms, and the logarithmic measures employed. 



3. Representation of Systems 



A secrecy system as defined above can be represented in various ways. 

 One which is convenient for illustrative purposes is a line diagram, as in 

 Figs. 2 and 4. The possible messages are represented by points at the left 

 and the possible cryptograms by points at the right. If a certain key, say key 

 1, transforms message M^ into cryptogram £4 then Mo and £4 are connected 



■• See J. L. Doob, "Probabilitv as Pleasure," Annals of Malli. Slat., v. 12, 1941, pp. 

 206-214. 



^ A. Kolmogoroff, "Grundbegriffe der Wahrscheinlichkeits rcchnung," Ergebnisse der 

 Mathematic, v. 2, No. 3 (Berlin 1933). 



