COMMUNICATION THEORY OF SECRECY SYSTEMS 685 



Trigram frequencies have also been tabulated and these are shown in the 

 column .V = 3. For four- and five-letter sequences probabilities were ob- 

 tained by multiplication from trigram frecjuencies since, roughly, 



piijkl) = p(ijk)pM. 



Note that at three letters the field has narrowed down to four messages 

 of fairly high probability, the others being small in comparison. At four 

 there are two possibilities and at five just one, the correct decipherment. 



In principle this could be carried out with any system but, unless the key 

 is very small, the number of possibilities is so large that the work involved 

 prohibits the actual calculation. 



This set of a posleriori probabilities describes how the cryptanalyst's 

 knowledge of the message and key gradually becomes more precise as 

 enciphered material is obtained. This description, however, is much too 

 involved and difficult to obtain for our purposes. What is desired is a sim- 

 plified description of this approach to uniqueness of the possible solutions. 



A similar situation arises in communication theory when a transmitted 

 signal is perturbed by noise. It is necessary to set up a suitable measure of 

 the uncertainty of what was actually transmitted knowing only the per- 

 turbed version given by the received signal. In MTC it was shown that a 

 natural mathematical measure of this uncertainty is the conditional en- 

 tropy of the transmitted signal when the received signal is known. This 

 conditional entropy was called, for convenience, the equivocation. 



From the point of view of the cryptanalyst, a secrecy system is almost 

 identical with a noisy communication system. The message (transmitted 

 signal) is operated on by a statistical element, the enciphering system, with 

 its statistically chosen key. The result of this operation is the cryptogram 

 (analogous to the perturbed signal) which is available for analysis. The 

 chief differences in the two cases are: first, that the operation of the en- 

 ciphering transformation is generally of a more complex nature than the 

 perturbing noise in a channel; and, second, the key for a secrecy system is 

 usually chosen from a finite set of possibilities while the noise in a channel 

 is more often continually introduced, in effect chosen from an infinite set. 



With these considerations in mind it is natural to use the equivocation 

 as a theoretical secrecy index. It may be noted that there are two signifi- 

 cant equivocations, that of the key and that of the message. These will be 

 denoted by Ue{K) and IIe(M) respectively. They are given by: 



He{K) = E PiE, K) log P^iK) 



E.K 



Ee{M) = Z P{E, M) log Pe{K) 



