COMMUNICATION THEORY OF SECRECY SYSTEMS )05 



22. Generalities on the Solution of Cryptograms 



After the unicity distance has been exceeded in intercepted material, 

 any system can be solved in principle by merely trying each possible key 

 until the unique solution is obtained — i.e., a deciphered message which 

 "makes sense" in the original language. A simple calculation shows that this 

 method of solution (which we may call complete trial and error) is totally 

 impractical except when the key is absurdly small. 



Suppose, for example, we have a key of 26! possibilities or about 26.3 

 decimal digits, the same size as in simple substitution on English. This is, 

 by any significant measure, a small key. It can be written on a small slip of 

 paper, or memorized in a few minutes. It could be registered on 27 switches, 

 each having ten positions, or on 88 two-position switches. 



Suppose further, to give the cryptanalyst every possible advantage, that 

 he constructs an electronic device to try keys at the rate of one each micro- 

 second (perhaps automatically selecting from the results by a x" test for 

 statistical significance). He may expect to reach the right key about half 

 way through, and after an elapsed time of about 2 X 1026/2 X 60^ X 24 X 

 365 X 106 or 3 X lO^^ years. 



In other words, even with a small key complete trial and error will never 

 be used in solving cryptograms, except in the trivial case where the key is 

 extremely small, e.g., the Caesar with only 26 possibilities, or 1.4 digits. 

 The trial and error which is used so commonly in cryptography is of a 

 different sort, or is augmented by other means. If one had a secrecy system 

 which required complete trial and error it would be extremely safe. Such a 

 system would result, it appears, if the meaningful original messages, all say 

 of 1000 letters, were a random selection from the set of all sequences of 1000 

 letters. If any of the simple ciphers were applied to this type of language it 

 seems that little improvement over complete trial and error would be 

 possible. 



The methods of cryptanalysis actually used often involve a great deal of 

 trial and error, but in a different way. First, the trials progress from more 

 probable to less probable hypotheses, and, second, each trial disposes of a 

 large group of keys, not a single one. Thus the key space may be divided 

 into say 10 subsets, each containing about the same number of keys. By at 

 most 10 trials one determines which subset is the correct one. This subset is 

 then divided into several secondary subsets and the process repeated. With 

 the same key size (26! = 2 X lO-^) we would expect about 26 X 5 or 130 

 trials as compared to lO^" by complete trial and error. The possibility of 

 choosing the most likely of the subsets first for test would improve this result 

 even more. If the divisions were into two compartments (the best way to 



