Tight bounds for unconditional authentication protocols in the manual channel and shared key models

Moni Naor, Gil Segev, Adam Davison Smith

Research output: Contribution to journal › Article

8 Citations (Scopus)

Abstract

We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) - O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model, the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of log(1/ε) - O(1) on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (Advances in Cryptology-CRYPTO '93, pp. 355-367, 1993). Finally, we prove that one-way functions are necessary (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.

Original language: English (US)
Pages (from-to): 2408-2425
Number of pages: 18
Journal: IEEE Transactions on Information Theory
Volume: 54
Issue number: 6
DOI: 10.1109/TIT.2008.921691
State: Published - Jun 1 2008


All Science Journal Classification (ASJC) codes

  • Information Systems
  • Computer Science Applications
  • Library and Information Sciences

Cite this

Naor, Moni ; Segev, Gil ; Smith, Adam Davison. / Tight bounds for unconditional authentication protocols in the manual channel and shared key models. In: IEEE Transactions on Information Theory. 2008 ; Vol. 54, No. 6. pp. 2408-2425.
@article{94685cadf5884c47913c5ce6a137da4a,
title = "Tight bounds for unconditional authentication protocols in the manual channel and shared key models",
author = "Moni Naor and Gil Segev and Smith, {Adam Davison}",
year = "2008",
month = "6",
day = "1",
doi = "10.1109/TIT.2008.921691",
language = "English (US)",
volume = "54",
pages = "2408--2425",
journal = "IEEE Transactions on Information Theory",
issn = "0018-9448",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "6",

}
