### Abstract

We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) - O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model, the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of log(1/ε) - O(1) on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (Advances in Cryptology-CRYPTO '93, pp. 355-367, 1993). Finally, we prove that one-way functions are necessary (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.

Original language | English (US) |
---|---|
Pages (from-to) | 2408-2425 |
Number of pages | 18 |
Journal | IEEE Transactions on Information Theory |
Volume | 54 |
Issue number | 6 |
DOIs | https://doi.org/10.1109/TIT.2008.921691 |
State | Published - Jun 1 2008 |

### All Science Journal Classification (ASJC) codes

- Information Systems
- Computer Science Applications
- Library and Information Sciences

### Cite this

Naor, Moni; Segev, Gil; Smith, Adam Davison. **Tight bounds for unconditional authentication protocols in the manual channel and shared key models.** *IEEE Transactions on Information Theory*, vol. 54, no. 6, pp. 2408-2425, 2008. https://doi.org/10.1109/TIT.2008.921691

Research output: Contribution to journal › Article

TY - JOUR

T1 - Tight bounds for unconditional authentication protocols in the manual channel and shared key models

AU - Naor, Moni

AU - Segev, Gil

AU - Smith, Adam Davison

PY - 2008/6/1

Y1 - 2008/6/1

UR - http://www.scopus.com/inward/record.url?scp=45249091426&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=45249091426&partnerID=8YFLogxK

U2 - 10.1109/TIT.2008.921691

DO - 10.1109/TIT.2008.921691

M3 - Article

AN - SCOPUS:45249091426

VL - 54

SP - 2408

EP - 2425

JO - IEEE Transactions on Information Theory

JF - IEEE Transactions on Information Theory

SN - 0018-9448

IS - 6

ER -