Shannon’s perfect secrecy is a theoretical ideal in which the ciphertext reveals absolutely no information about the content of the plaintext: an eavesdropper who sees the ciphertext knows no more about what was said than they did before seeing it. (It does not hide that a message was sent, or how long it is; more on that below.)
Let’s see how this plays out in practice, or rather, how it doesn’t play out in practice for most of us. Imagine Alice wants to send a secret message to Bob. She has a message M (plaintext) and a key K. She combines them using an encryption function E to get ciphertext C: C = E(M, K). For perfect secrecy, the ciphertext C must be statistically independent of the plaintext M when K is chosen uniformly at random. This means that if you see C, you can’t guess M any better than you could before you saw C: the probability of every candidate plaintext is exactly the same after the observation as it was before.
The canonical construction that achieves this is the One-Time Pad (OTP); Shannon also proved that any scheme with perfect secrecy needs at least as many possible keys as possible messages, so nothing fundamentally cheaper exists. Here’s a simplified example. Let’s say our "plaintext" is just a single letter. We’ll represent letters as numbers: A=0, B=1, …, Z=25. Our key will also be a number from 0 to 25.
Plaintext (M): 'C' (which is 2)
Key (K): 'E' (which is 4)
Encryption: C = (M + K) mod 26
Ciphertext (C): (2 + 4) mod 26 = 6
Now, let's look at the ciphertext '6'. What could the plaintext have been?
If K was 0: M = (6 - 0) mod 26 = 6 ('G')
If K was 1: M = (6 - 1) mod 26 = 5 ('F')
If K was 2: M = (6 - 2) mod 26 = 4 ('E')
If K was 3: M = (6 - 3) mod 26 = 3 ('D')
If K was 4: M = (6 - 4) mod 26 = 2 ('C')
If K was 5: M = (6 - 5) mod 26 = 1 ('B')
If K was 6: M = (6 - 6) mod 26 = 0 ('A')
...and so on.
For *every* possible plaintext character, there is exactly one key that could have produced the ciphertext '6'. Since the key was chosen uniformly at random, every one of those 26 explanations is exactly as plausible as every other.
This is the core idea: for every possible plaintext and every possible ciphertext, there is exactly one key that maps that plaintext to that ciphertext. For a fixed ciphertext, the keys and the plaintexts are paired off one-to-one, so seeing the ciphertext tells you nothing about which plaintext was sent.
The mental model for perfect secrecy is that the key space (all possible keys) must be at least as large as the message space (all possible messages), and the key must be truly random, kept secret, and used only once. "Only once" is not a formality: if the same key encrypts two messages, an attacker can subtract the two ciphertexts and the key cancels out, leaving the difference of the two plaintexts.
Here’s the critical part: the key must be as long as the message. If Alice wants to send "HELLO" (5 characters) to Bob, she needs a 5-character random key.
Plaintext (M): HELLO
Key (K): XWZQD
Let's use numbers: H=7, E=4, L=11, L=11, O=14
Key: X=23, W=22, Z=25, Q=16, D=3
Encryption (addition modulo 26):
H (7) + X (23) = 30 mod 26 = 4 (E)
E (4) + W (22) = 26 mod 26 = 0 (A)
L (11) + Z (25) = 36 mod 26 = 10 (K)
L (11) + Q (16) = 27 mod 26 = 1 (B)
O (14) + D (3) = 17 mod 26 = 17 (R)
Ciphertext (C): EAKBR
Now, if an eavesdropper sees "EAKBR", can they decrypt it? Not without the key "XWZQD". Suppose they try a different key, say "ABCDE":
Ciphertext (C): EAKBR
Test Key (K'): ABCDE
Decryption (subtraction modulo 26):
E (4) - A (0) = 4 (E)
A (0) - B (1) = -1 mod 26 = 25 (Z)
K (10) - C (2) = 8 (I)
B (1) - D (3) = -2 mod 26 = 24 (Y)
R (17) - E (4) = 13 (N)
Decrypted text: EZIYN, which is not HELLO. The important point is that the eavesdropper has no way to tell that it is wrong. Under the key "IMTQO" the very same ciphertext "EAKBR" decrypts to "WORLD", and in general every 5-letter string is the decryption of "EAKBR" under exactly one 5-letter key.
This demonstrates that without the correct random key, the ciphertext offers no clue to the original plaintext. The security comes from the fact that, for any given ciphertext, every plaintext of that length is exactly as likely after seeing the ciphertext as it was before: the attacker’s best guess is whatever it would have been with no ciphertext at all.
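The worked example above can be checked mechanically, and the "every plaintext is equally consistent" claim can be turned into an actual Bayesian computation. The following Python is an added example, not part of the original article: it implements the article’s mod-26 one-time pad, recovers the unique key that maps a ciphertext to any chosen plaintext, and then brute-forces the posterior Pr[M = m | C = c] over the whole key space for two ciphers. For the one-time pad the posterior comes back equal to the prior, exactly Shannon’s definition; for a Caesar shift (the same cipher with one key letter reused across every position, so only 26 keys) the ciphertext sharply narrows the candidates, illustrating why the key space must be at least as large as the message space. The 3-letter messages, the prior, and the helper names are constructed for this example.

```python
import itertools
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = len(ALPHABET)


def to_nums(text):
    """Map 'A'..'Z' to 0..25, as in the article's worked example."""
    text = text.upper()
    if any(ch not in ALPHABET for ch in text):
        raise ValueError("only letters A-Z are supported in this toy cipher")
    return [ALPHABET.index(ch) for ch in text]


def to_text(nums):
    return "".join(ALPHABET[n % MOD] for n in nums)


def encrypt(plaintext, key):
    """One-time pad: C = (M + K) mod 26 letter by letter; key must match the message length."""
    m, k = to_nums(plaintext), to_nums(key)
    if len(k) != len(m):
        raise ValueError("one-time pad key must have the same length as the plaintext")
    return to_text((a + b) % MOD for a, b in zip(m, k))


def decrypt(ciphertext, key):
    """M = (C - K) mod 26."""
    c, k = to_nums(ciphertext), to_nums(key)
    if len(k) != len(c):
        raise ValueError("one-time pad key must have the same length as the ciphertext")
    return to_text((a - b) % MOD for a, b in zip(c, k))


def key_for(ciphertext, candidate_plaintext):
    """The unique key K = (C - M) mod 26 that turns candidate_plaintext into ciphertext.

    Because such a key exists for *every* same-length candidate, a brute-force
    attacker gains nothing: every guess is consistent with some key.
    """
    c, m = to_nums(ciphertext), to_nums(candidate_plaintext)
    if len(c) != len(m):
        raise ValueError("candidate plaintext must have the same length as the ciphertext")
    return to_text((a - b) % MOD for a, b in zip(c, m))


def random_key(length):
    """Uniform key from the OS CSPRNG; a biased or reused key breaks perfect secrecy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_keys(length):
    """The full one-time-pad key space for a given message length: 26**length keys."""
    return ("".join(t) for t in itertools.product(ALPHABET, repeat=length))


def caesar_encrypt(plaintext, key_letter):
    """Caesar shift = the same pad letter reused at every position (key space of only 26)."""
    return encrypt(plaintext, key_letter * len(plaintext))


def posterior(ciphertext, prior, keys, encrypt_fn):
    """Pr[M = m | C = c] for a uniformly random key, computed by brute force.

    prior maps candidate plaintexts to probabilities. The likelihood
    Pr[C = c | M = m] is the fraction of keys that map m to c; Bayes' rule
    then gives the posterior. Perfect secrecy means posterior == prior.
    """
    keys = list(keys)
    weights = {}
    for m, p in prior.items():
        matching = sum(1 for k in keys if encrypt_fn(m, k) == ciphertext)
        weights[m] = p * matching / len(keys)
    total = sum(weights.values())
    return {m: w / total for m, w in weights.items()}


def two_time_pad_leak(ciphertext1, ciphertext2):
    """Reusing a key leaks (M1 - M2) mod 26: subtracting the ciphertexts cancels the key."""
    c1, c2 = to_nums(ciphertext1), to_nums(ciphertext2)
    return to_text((a - b) % MOD for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(encrypt("HELLO", "XWZQD"))          # EAKBR, as in the article
    print(decrypt("EAKBR", "ABCDE"))          # EZIYN, the article's wrong-key attempt
    print(key_for("EAKBR", "WORLD"))          # the key under which EAKBR reads WORLD
    # Constructed prior over three 3-letter candidates; ciphertext is CAT under key CCC.
    prior = {"CAT": 0.5, "DOG": 0.3, "AYR": 0.2}
    print(posterior("ECV", prior, otp_keys(3), encrypt))        # equals the prior
    print(posterior("ECV", prior, ALPHABET, caesar_encrypt))    # DOG ruled out entirely
    print(two_time_pad_leak(encrypt("HELLO", "XWZQD"), encrypt("WORLD", "XWZQD")))
```

The one-time-pad posterior enumerates all 17,576 three-letter keys per candidate and finds exactly one match for each, so the ciphertext multiplies every candidate’s probability by the same constant and the normalised result is the prior unchanged. The Caesar posterior finds a matching key only for candidates that are shifts of the ciphertext, which is what a key space smaller than the message space looks like in practice.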
The one thing most people don’t grasp is that "perfect secrecy" doesn’t prevent an attacker from knowing that a message was sent, how long it was, or when, so traffic analysis still works. If Alice sends a 1000-page document encrypted with a 1000-page key, and then immediately receives a reply, an attacker knows a long message was exchanged. They just don’t know the content. Nor does the one-time pad provide integrity: shifting a ciphertext letter shifts the corresponding plaintext letter by the same amount, so an attacker who can modify the ciphertext can make predictable changes to what Bob reads, and a separate authentication mechanism is needed to detect that.
The practical limitation is key distribution. How do Alice and Bob securely exchange these massive, random keys before they can even send their first secret message? The key material must be as long as all the traffic they will ever exchange, generated from a truly random source, and kept secret by both sides, so the problem of moving the key safely is as hard as the problem of moving the messages safely. This is why perfect secrecy, while information-theoretically unbreakable, is almost never used in practice for general communication.
The next logical step after understanding perfect secrecy is exploring why it’s impractical and how modern cryptography achieves computational security instead.