COMMUNICATION TUF.ORV Ol- .SI-ICRFa Y SYSTEMS 683 



bit of message information. It is easily shown also, by the methods used in 

 MTC, that this is the best that can be done. 



Perfect secrecy systems have a place in the practical picture — they may be 

 used cither where the greatest importance is attached to comi)lete secrecy — 

 e.g., correspondence between the highest levels of command, or in cases 

 where the number of possible messages is small. Thus, to take an extreme 

 example, if only two messages "yes" or "no" were anticipated, a perfect 

 system would be in order, with perhaps the transformation table: 



M A' 



yes 

 no 



The disadvantage of perfect systems for large correspondence systems 

 is, of course, the equivalent amount of key that must be sent. In succeeding 

 sections we consider what can be achieved with smaller key size, in par- 

 ticular with fmite keys. 



11. Equivocation 



Let us suppose that a simple substitution cipher has been used on English 

 text and that we intercept a certain amount, iV letters, of the enciphered 

 text. For .V fairly large, more than say 50 letters, there is nearly always a 

 unique solution to the cipher; i.e., a single good English sequence which 

 transforms into the intercepted material by a simple substitution. With a 

 smaller N, however, the chance of more than one solution is greater; with 

 JV = 15 there will generally be quite a number of possible fragments of text 

 that would fit, while with N = 8 a good fraction (of the order of 1/8) of 

 all reasonable English sequences of that length are possible, since there is 

 seldom more than one repeated letter in the 8. With N = 1 any letter is 

 clearly possible and has the same a posteriori probability as its a priori 

 probability. For one letter the system is perfect. 



This happens generally with solvable ciphers. Before any material is 

 intercepted we can imagine the a priori probabilities attached to the vari- 

 ous possible messages, and also to the various keys. As material is inter- 

 cepted, the cryptanalyst calculates the a posteriori probabilities; and as .V 

 increases the probabilities of certain messages increase, and, of most, de- 

 crease, until finally only one is left, which has a probability nearly one, 

 while the total probability of all others is nearly zero. 



This calculation can actually be carried out for very simple systems. Table 

 I shows the a posteriori probabilities for a Caesar type cipher applied to 

 English text, with the key chosen at random from the 26 possibilities. To 

 enable the use of standard letter, digram and trigram frequenc}- tables, the 



