What the theorem essentially says is that if a cipher is perfect, it must have this property.
It must be impractical in the sense that the number of possible keys
must be at least as big as the number of possible messages.
We saw for the one-time pad that they were equal.
We can always remove possible messages from the message set
so there's no problem with adding more keys.
The problem is we need to have at least as many keys as messages.
Let's prove this property.
We're going to prove it by contradiction.
We're going to start by assuming that we do have a perfect cipher
that does not satisfy this property.
Suppose we do have some perfect cipher--we'll call it "E"--
where the number of possible messages is greater than the number of possible keys.
There is some ciphertext--call it c0, an element of the set of possible ciphertexts.
Let's assume that that ciphertext is possible.
We know that there must be such a ciphertext.
There is some key that encrypts some message to c0.
The probability that a message and key get encrypted to this ciphertext is greater than 0.
We know that such a ciphertext must exist.
Now we have our ciphertext c0.
Let's try decrypting that.
We'll decrypt it with all keys in the key space.
We haven't mentioned what the decryption function is.
For the one-time pad it's exactly the same as the encryption function.
For this we don't want to assume this. It could be any function.
We'll assume there is some function D that is our decryption function.
Since our cipher is correct--in order to be perfect it has to both be correct and perfectly secure.
That means the decryption function must have the property that if we decrypt
a message encrypted with the same key, we always get the same message out.
We don't need to know anything else about the decryption function than that.
We shouldn't assume anything, because all we're trying to do is show that
there is no possible choice for E that is both a correct encryption function and a perfect cipher.
Now what happens when we decrypt c0 with all possible keys?
Well, we're going to look at the set of messages that we can produce.
We'll call M0 the set of messages that we get by unioning over all possible keys
the result of decrypting the ciphertext c0.
This models what an attacker would do.
They've intercepted some ciphertext. They're trying all possible keys.
This is what a brute-force attacker would do.
Looking at all the possible messages that can be produced.
Now I want you to think about which of these statements are true.
Check all the statements that must be true.
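
The brute-force step described above, as an added illustration that is not part of the lecture: a constructed toy cipher with 8 messages and only 4 keys, where c0 is decrypted under every key to build M0 and the attacker's posterior is compared with the prior. The mod-8 shift cipher and all function names are assumptions made for this example.

```python
from fractions import Fraction

# Constructed toy cipher (assumption for illustration): |M| = 8 > |K| = 4.
MESSAGES = range(8)
KEYS = range(4)

def E(k, m):
    """Encrypt: shift the message by the key, mod 8."""
    return (m + k) % 8

def D(k, c):
    """Decrypt: undo the shift, so D(k, E(k, m)) == m for every k and m."""
    return (c - k) % 8

def is_correct():
    """Correctness is the only property the proof requires of D."""
    return all(D(k, E(k, m)) == m for k in KEYS for m in MESSAGES)

def candidate_messages(c0):
    """M0: the union over all keys of D(k, c0), as a brute-force attacker builds it."""
    return {D(k, c0) for k in KEYS}

def prior(m):
    """P(M = m) with messages chosen uniformly."""
    return Fraction(1, len(MESSAGES))

def posterior(m, c0):
    """P(M = m | C = c0) with messages and keys uniform and independent."""
    hits = sum(1 for k in KEYS if E(k, m) == c0)
    total = sum(1 for mm in MESSAGES for k in KEYS if E(k, mm) == c0)
    return Fraction(hits, total)

def excluded_messages(c0):
    """Messages that no key decrypts c0 to; they exist whenever |K| < |M|."""
    return set(MESSAGES) - candidate_messages(c0)

if __name__ == "__main__":
    c0 = E(1, 5)  # a ciphertext that occurs with probability > 0
    m0 = candidate_messages(c0)
    print("c0 =", c0, " M0 =", sorted(m0), " |M0| =", len(m0))
    for m in MESSAGES:
        print(f"m={m}  prior={prior(m)}  posterior={posterior(m, c0)}")
```

Every message outside M0 has posterior 0 while its prior is 1/8, so seeing c0 tells the attacker something about the message.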
