COMMUNICAT/OX TIIF.ORV OF SECRECY SYSTEMS (u<) 



to R can be broken by reducing t<> ^ tlin)u,ii;li application of the operation A. 

 This is a device that is frequent 1\- used in practical cryptanalysis. 



As a trivial examjjle, simj)le substitution where the substitutes are not 

 letters but arbitrary symbols is similar to simple substitution using letter 

 substitutes. A second example is the Caesar and the reversed Caesar type 

 ciphers. The latter is sometimes broken by first transforming into a Caesar 

 t>'pe. This can be done by reversing the alphabet in the cryptogram. The 

 \igenere, Beaufort and Variant Beaufort are all similar, when the key is 

 random. The "autokey" cipher (with the message used as "key") primed 

 with the key Ki A'o • • • Kd is similar to a \'igenere type with the key alter- 

 nately added and subtracted Mod 26. The transformation .1 in this case is 

 that of "deciphering" the autokey with a series of d A's for the priming key. 



PART II 



THEORETICAL SECRECY 



9. Introduction 



We now consider problems connected with the "theoretical secrecy" of 

 a system. How immune is a system to cryptanalysis when the cryptanalyst 

 has unlimited time and manpower available for the analysis of crypto- 

 grams? Does a cryptogram have a unique solution (even though it may 

 require an impractical amount of work to find it) and if not how many rea- 

 sonable solutions does it have? How much text in a given system must be in- 

 tercepted before the solution becomes unique? Are there systems which never 

 become unique in solution no matter how much enciphered text is inter- 

 cepted? Are there systems for which no information whatever is given to 

 the enemy no matter how much text is intercepted? In the analysis of these 

 problems the concepts of entropy, redundancy and the like developed in 

 "A Mathematical Theory of Communication" (hereafter referred to as 

 MTC) will find a wide application. 



10. Perfect Secrecy 



Let us suppose the possible messages are finite in number M] , • • ■ , M„ 

 and have a priori probabilities P(Mi), ■ • ■, P(M„), and that these are en- 

 ciphered into the possible cryptograms Ei , •••,£,„ by 



E = TiM. 



The cryptanalyst intercepts a particular E and can then calculate, in 

 principle at least, the a posteriori probabilities for the various messages, 

 Pb{M). It is natural to define perjecl secrecy by the condition that, for all E 

 the a posteriori probabilities are equal to the a priori probabilities inde- 

 pendently of the values of these. In this case, intercepting the message has 



