We showed earlier that this was 1/K--1 over the size of K.
Now we've shown that the probability of M equals M is equal to the probability
the message is M divided by the K.
We've shown these two things.
Now we just need to plug them into our conditional probability formula.
We're going to have this on top, and we're going to divide that by the probability of B,
which is 1 over K.
The "over Ks" will cancel out, leaving us with the probability
that the message is equal to M.
That's exactly our definition of a perfect cipher.
We can conclude that the one-time pad is a perfect cipher.
It exactly satisfies the definition of a perfect cipher
where the cipher text reveals nothing at all about the key.
You might think the class should be over.
We've achieved our goal of perfect secrecy using a cipher
that was invented over 100 years ago and is actually provably perfectly secret.
We're not going quite done yet.
There are some pretty serious problems with the one-time pad.
One problem is that it's malleable.
What malleable means is if Alice sends her ciphertext to Bob,
and our evil interceptor--this times it's not just an eavesdropped,
it's an eavesdropper with a hammer.
If our interceptor has control over the network,
and instead of just being an eavesdropper can be an active attacker.
An active attacker means they can actually change messages on the network.
The message that arrives at Bob is not C. It's C'.
Because at the perfect cipher, the attacker can't learn anything new about the message
from C, but she could modify it.
Maybe she had a pretty good guess.
Maybe there was a number in the message somewhere
or something that she wanted to change.
Well, she could flip the bits at that part of the message,
change the ciphertext that Bob receives to C.
It would decrypt, and with the one-time pad encryption and decryption are the same function.
The decryption of C' would be M'.
The attacker can actually control the difference between M and M',
because the way the one-time pad works is just XOR.
The attacker could decide whatever difference she wants to introduce in the message.
This is a dangerous property for a cipher to have.
Another big problem with the one-time pad is that it's very impractical.
The real reason that it's impractical is because the keys have to be
as long as the messages, and we can never reuse the key.
The is this property that the number of possible keys
is equal to the number of possible messages.
Maybe what we should try to do is to find a more practical perfect cipher.
Unfortunately, Claude Shannon proved that that's not possible.
That's what we're going to look at next is why this property that the key space
has to be at least as big as the message space i
s a requirement for a cipher being perfect.
