710 BELL SYSTEM TECHNICAL JOURNAL 



and all the ft involve all the ki . The cryptographer must solve this system 

 simultaneously — a difficult job. In the simple (not confused) cases the func- 

 tions involve only a small number of the k^ — or at least some of these do. 

 One first solves the simpler equations, evaluating some of the ki and sub- 

 stitutes these in the more complicated equations. 



The conclusion here is that for a good ciphering system steps should be 

 taken either to diffuse or confuse the redundancy (or both). 



24. The Probable Word Method 



One of the most powerful tools for breaking ciphers is the use of probable 

 words. The probable words may be words or phrases expected in the par- 

 ticular message due to its source, or they may merely be common words or 

 syllables which occur in any text in the language, such as the, and, Hon, that, 

 and the like in English. 



In general, the probable word method is used as follows: Assuming a 

 probable word to be at some point in the clear, the key or a part of the key 

 is determined. This is used to decipher other parts of the cryptogram and 

 provide a consistency test. If the other parts come out in the clear, the 

 assumption is justified. 



There are few of the classical type ciphers that use a small key and can 

 resist long under a probable word analysis. From a consideration of this 

 method we can frame a test of ciphers which might be called the acid test. 

 It applies only to ciphers with a small key (less than, say, 50 decimal digits), 

 applied to natural languages, and not using the ideal method of gaining se- 

 crecy. The acid test is this: How difficult is it to determine the key or a part 

 of the key knowing a small sample of message and corresponding crypto- 

 gram? Any system in which this is easy cannot be very resistant, for the 

 cryptanalyst can always make use of probable words, combined with trial 

 and error, until a consistent solution is obtained. 



The conditions on the size of the key make the amount of trial and error 

 small, and the condition about ideal systems is necessary, since these auto- 

 matically give consistency checks. The existence of probable words and 

 phrases is implied by the assumption of natural languages. 



Note that the requirement of difficult solution under these conditions is 

 not, by itself, contradictory to the requirements that enciphering and 

 deciphering be simple processes. Using functional notation we have for 

 enciphering 



E = f{K, M) 



and for deciphering 



M = g(K, E). 



