704 BELL SYSTEM TECHNICAL JOURNAL 



much better (i.e., much higher) work characteristic. A good practical 

 secrecy system is one in which the W{N) curve remains sufficiently high, 

 out to the number of letters one expects to transmit with the key, to prevent 

 the enemy from actually carrying out the solution, or to delay it to such an 

 extent that the information is then obsolete. 



We will consider in the following sections ways of keeping the function 

 W{N) large, even though He{K) may be practically zero. This is essentially 

 a "max min" type of problem as is always the case when we have a battle 

 of wits.^^ In designing a good cipher we must maximize the minimum amount 

 of work the enemy must do to break it. It is not enough merely to be sure 

 none of the standard methods of cryptanalysis work — we must be sure that 

 no method whatever will break the system easily. This, in fact, has been the 

 weakness of many systems; designed to resist all the known methods of 

 solution, they later gave rise to new cryptanalytic techniques which rendered 

 them vulnerable to analysis. 



The problem of good cipher design is essentially one of finding difficult 

 problems, subject to certain other conditions. This is a rather unusual situa- 

 tion, since one is ordinarily seeking the simple and easily soluble problems 

 in a field. 



How can we ever be sure that a system which is not ideal and therefore 

 has a unique solution for sufficiently large N will require a large amount of 

 work to break with every method of analysis? There are two approaches to 

 this problem; (1) We can study the possible methods of solution available to 

 the cryptanalyst and attempt to describe them in sufficiently general terms 

 to cover any methods he might use. We then construct our system to resist 

 this "general" method of solution. (2) We may construct our cipher in such 

 a way that breaking it is equivalent to (or requires at some point in the 

 process) the solution of some problem known to be laborious. Thus, if we 

 could show that solving a certain system requires at least as much work as 

 solving a system of simultaneous equations in a large number of unknowns, 

 of a complex type, then we would have a lower bound of sorts for the work 

 characteristic. 



The next three sections are aimed at these general problems. It is difficult 

 to define the pertinent ideas involved with sufficient precision to obtain 

 results in the form of mathematical theorems, but it is believed that the 

 conclusions, in the form of general principles, are correct. 



" See von Neumann and Morgenstern, loc. cil. The situation between the cipher de- 

 signer and crj'ptanalyst can be thought of as a "game" of a very simple structure; a zero- 

 sum two-person game with complete information, and just two "moves." The cipher 

 designer chooses a system for his "move." Then the cryptanalyst is informed of this 

 choice and chooses a method of analysis. The "value" of the play is the average work re- 

 quired to break a cryptogram in the system by the method chosen. 



