## Key distribution:

Key distribution: Symmetric authentication systems (1) like for symmetric encryption systems Simple example (view of attacker) The outcome of tossing a coin (Head (H) or Tail (T)) shall be sent in an authenticated fashion: Security: e.g. attacker wants to send T. a) blind: get caught with a probability of 0.5 k x,MAC H,0 H,1 T,0 T,1 00 H - T - 01 H - - T 10 - H T - 11 - H - T b) seeing: e.g. attacker gets H,0 � k � {00, 01} still both, T,0 and T,1, have a probability of 0.5 159

Symmetric authentication systems (2) Definition “Information-theoretical security” with error probability �: �x, MAC (that attacker can see) �y � x (that attacker sends instead of x) � MAC' (where attacker chooses the one with the highest probability fitting y) W(k(y) = MAC' | k(x) = MAC ) � � (probability that MAC' is correct if one only takes the keys k which are still possible under the constraint of (x,MAC) being correct.) Improvement of the example: a) 2� key bits instead of 2: k = k 1 k 1 * ... k� k � * MAC = MAC 1,...,MAC �; MAC i calculated using k i k i* � error probability 2 -� b) l message bits: x (1) , MAC (1) = MAC 1 (1) , ... , MAC� (1) x ( l ) , MAC ( l ) = MAC1 ( l ) , ... , MAC� ( l ) 160

