Shannon's fundamental bound for perfect secrecy says that the source entropy cannot be larger than the entropy of the secret key initially shared by the sender and the legitimate receiver. Massey gave an information theoretic proof of this result, and his proof does not require independence of the key and the source message. By further assuming independence, some stronger results, which govern the probability distributions of the key and the ciphertext, can be shown. These results illustrate that the key entropy is not less than the logarithm of the message sample size in any cipher achieving perfect secrecy, even if the source distribution is fixed. The same bound also applies to the entropy of the ciphertext. These results still hold if the source message has been compressed before encryption.
The above observation leads to different research problems studied in this chapter. When the source distribution is non-uniform, the entropy of the key is required to be strictly greater than the source entropy, and hence some randomness in the key is wasted. To deal with this problem, this chapter investigates cipher systems that contain residual secret randomness after they are used. A collection of such systems can be used to generate a new secret key. The aforementioned entropy bound only gives the minimum size of the pre-shared secret key. A new measure for key consumption, i.e., the entropy difference between the pre-shared secret key and the newly generated key, is proposed and justified in this chapter. Key consumption is shown to be bounded below by the source entropy, and the lower bound can be achieved by the codes proposed in this chapter. Furthermore, the existence of a fundamental tradeoff between the expected key consumption and the number of channel uses for conveying a ciphertext is shown.
Cipher systems with perfect secrecy were studied by Shannon in his seminal paper  (see also ). With reference to Fig. 2.1, a cipher system is defined by three components: a source message U, a ciphertext X, and a key R. Here, R is the collection of secret randomness shared only by the sender and the legitimate receiver.