A cryptosystem is said to exhibit **perfect secrecy** if, for any observed ciphertext *y*, the a posteriori probability of any plaintext *x* is equal to the a priori probability of that plaintext. That is, observing the ciphertext does not give an attacker any information whatsoever about the plaintext: for any ciphertext *y*, the probability that the plaintext being encrypted was some *x* is the same as it would be for any other ciphertext *y'*.

Perfect secrecy is a very desirable property of a cryptosystem; it is also either impossible to achieve in practice or impossible to prove for most cryptosystems. A cipher that does achieve perfect secrecy is the one-time pad, which suffers from two important limitations:

- The key length must be greater than or equal to the message length.
- Each key may be used at most once.

However, other (weaker) properties of cryptosystems are sufficient in practice, are provable, and are exhibited by systems that do not suffer from the limitations of the one-time pad. An example is semantic security.
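The definition and the second limitation can both be checked exactly on a toy message space. The added example below (not from the original writeup) computes the a posteriori distribution P(x | y) for a one-time pad over 3-bit strings with a constructed, non-uniform prior: with a uniform single-use key the posterior equals the prior for every ciphertext, but once the same key encrypts two messages the posterior over the first plaintext no longer matches the prior. The bit length, prior and observed ciphertexts are all assumptions chosen for the demonstration.

```python
"""Shannon's perfect-secrecy condition P(x | y) = P(x), checked exactly for a
one-time pad on a tiny message space, and what key reuse does to it.
Added example; N_BITS, PRIOR and the ciphertexts in main() are constructed."""
from fractions import Fraction
from itertools import product

N_BITS = 3                          # plaintexts and keys are all 3-bit strings
SPACE = range(1 << N_BITS)

# Constructed, deliberately non-uniform a priori distribution over plaintexts.
PRIOR = {x: Fraction(x + 1, sum(range(1, len(SPACE) + 1))) for x in SPACE}

def posterior_single(y, prior=PRIOR):
    """P(x | y) for one OTP ciphertext y = x XOR k with a uniform key k.
    Bayes: P(x|y) = P(x) P(k = x^y) / sum_x' P(x') P(k = x'^y)."""
    key_prob = Fraction(1, len(SPACE))          # uniform key: every k equally likely
    joint = {x: prior[x] * key_prob for x in SPACE}   # y fixes k = x ^ y for each x
    total = sum(joint.values())
    return {x: p / total for x, p in joint.items()}

def is_perfectly_secret(prior=PRIOR):
    """True iff the posterior equals the a priori distribution for every y."""
    return all(posterior_single(y, prior) == prior for y in SPACE)

def marginal_x1_reused(y1, y2, prior=PRIOR):
    """P(x1 | y1, y2) when the SAME key encrypted both messages.
    Only pairs with x1 ^ x2 == y1 ^ y2 are explained by a single key,
    so the observer learns the XOR of the two plaintexts."""
    key_prob = Fraction(1, len(SPACE))
    joint = {x: Fraction(0) for x in SPACE}
    for x1, x2 in product(SPACE, repeat=2):
        if x1 ^ y1 == x2 ^ y2:                  # one key must fit both ciphertexts
            joint[x1] += prior[x1] * prior[x2] * key_prob
    total = sum(joint.values())
    return {x: p / total for x, p in joint.items()}

def leaks_under_reuse(y1, y2, prior=PRIOR):
    """True iff the reused-key posterior over x1 differs from the prior."""
    return marginal_x1_reused(y1, y2, prior) != prior

if __name__ == "__main__":
    print("single-use key is perfectly secret:", is_perfectly_secret())
    y1, y2 = 0b101, 0b011                       # constructed observed ciphertexts
    print("same key used twice leaks:", leaks_under_reuse(y1, y2))
    print("P(x1=0) =", PRIOR[0], " P(x1=0 | y1,y2) =", marginal_x1_reused(y1, y2)[0])
```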

(Part of the Everything2 Crypto Project)