Repeated use of codes which detect deception (Corresp.)

A sender A wants to send N messages x_{i} = 1 , \ldots ,N , chosen from a set containing M different possible messages, M > N , to a receiver B . Every x_{i} has to pass through the hands of a dishonest messenger C . Therefore A and B agree on a mathematical transformation f and a secret parameter, or key k , that will be used to produce the authenticator y_{i} = f(x_{i} , k ) , which is sent together with x . The key is chosen at random from a set of L elements. C knows f and can find all elements in the set G(x_{i},y_{i}) = \{k|f(x_{i}, k) = y_{i}\} given enough time and computer resources. C wants to change x_{i} \into x^{\prime} without B suspecting. This means that C must find the new anthenticator y^{\prime} = f(x^{\prime} , k) . Since G(x_{i},y_{i}) can be found for any (x_{i},y_{i}) , it is obvious that C will always succeed unless G(x_{i},y_{i}) contains more than one element. Here it is proved that the average probability of success for C is minimized if (a) G(x_{i}, y_{i}) contains L^{(N-1)/N} elements and (b) each new known pair (x_{j}, y_{j}) will diminish this set of solutions by a factor of L^{-l/N} . The minimum average probability will then be L^{-l/N} .