Quantum Information Processing

, Volume 13, Issue 10, pp 2155–2170 | Cite as

Direct proof of security of Wegman–Carter authentication with partially known key

  • Aysajan Abidin
  • Jan-Åke Larsson


Information-theoretically secure (ITS) authentication is needed in quantum key distribution (QKD). In this paper, we study security of an ITS authentication scheme proposed by Wegman & Carter, in the case of partially known authentication key. This scheme uses a new authentication key in each authentication attempt, to select a hash function from an Almost Strongly Universal\(_2\) hash function family. The partial knowledge of the attacker is measured as the trace distance between the authentication key distribution and the uniform distribution; this is the usual measure in QKD. We provide direct proofs of security of the scheme, when using partially known key, first in the information-theoretic setting and then in terms of witness indistinguishability as used in the universal composability (UC) framework. We find that if the authentication procedure has a failure probability \(\varepsilon \) and the authentication key has an \(\varepsilon ^{\prime }\) trace distance to the uniform, then under ITS, the adversary’s success probability conditioned on an authentic message-tag pair is only bounded by \(\varepsilon +|\mathcal T |\varepsilon ^{\prime }\), where \(|\mathcal T |\) is the size of the set of tags. Furthermore, the trace distance between the authentication key distribution and the uniform increases to \(|\mathcal T |\varepsilon ^{\prime }\) after having seen an authentic message-tag pair. Despite this, we are able to prove directly that the authenticated channel is indistinguishable from an (ideal) authentic channel (the desired functionality), except with probability less than \(\varepsilon +\varepsilon ^{\prime }\). This proves that the scheme is (\(\varepsilon +\varepsilon ^{\prime }\))-UC-secure, without using the composability theorem.


Authentication Strongly Universal hash functions Partially known key Trace distance Universal composability Quantum key distribution 


  1. 1.
    Abidin, A.: Weaknesses of Authentication in Quantum Cryptography and Strongly Universal Hash Functions. Linköping Studies in Science and Technology. Licentiate Thesis, Applied Mathematics, The Institute of Technology, Linköping University, (2010)Google Scholar
  2. 2.
    Abidin, A., Larsson, J.Å.: Vulnerability of “A novel protocol-authentication algorithm ruling out a man-in-the-middle attack in quantum cryptography”. Int. J. Quantum Inf. 7(5), 1047–1052 (2009)zbMATHCrossRefGoogle Scholar
  3. 3.
    Abidin, A., Larsson, J.Å.: New universal hash functions. In: Lucks, S., Armknecht, F. (eds.) WEWoRC 2011. LNCS, vol. 7242, pp. 99–108. Springer, Berlin (2012)Google Scholar
  4. 4.
    Atici, M., Stinson, D.R.: Universal hashing and multiple authentication. In: Koblitz, N. (ed.) CRYPTO ’96. LNCS, vol. 1109, pp. 16–30 (1996)Google Scholar
  5. 5.
    Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, pp. 175–179. Bangalore, India (1984)Google Scholar
  6. 6.
    Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On families of hash functions via geometric codes and concatenation. In: Stinson, D. (ed.) CRYPTO ’93. LNCS, vol. 773, pp. 331–342 (1994)Google Scholar
  7. 7.
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Annual Symposium on Foundations of Computer Science—Proceedings, pp. 136–145 (2001)Google Scholar
  8. 8.
    Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18, 143–154 (1979)zbMATHMathSciNetCrossRefGoogle Scholar
  9. 9.
    Cederlöf, J., Larsson, J.Å.: Security aspects of the authentication used in quantum cryptography. IEEE Trans. Inf. Theory 54(4), 1735–1741 (2008)CrossRefGoogle Scholar
  10. 10.
    den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993)Google Scholar
  11. 11.
    Ekert, A.K.: Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661–663 (1991)zbMATHMathSciNetCrossRefADSGoogle Scholar
  12. 12.
    Feige, U., Shamir, A.: Witness indistinguishability and witness hiding protocols. In: Proceedings of the 22nd ACM Symposium on Theory of Computing, pp. 416–426 (1990)Google Scholar
  13. 13.
    Hirota, O.: Incompleteness and limit of quantum key distribution theory. arXiv:1208.2106v2 (2012)Google Scholar
  14. 14.
    Johansson, T., Kabatianskii, G., Smeets, B.: On the relations between A-codes and codes correcting independent errors. In: Stinson, D. (ed.) EUROCRYPT ’93. T. Helleseth, vol. 765, pp. 1–11 (1994)Google Scholar
  15. 15.
    Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y. (ed.) CRYPTO ’94. LNCS, vol. 839, pp. 129–139 (1994)Google Scholar
  16. 16.
    Krawczyk, H.: New hash functions for message authentication. In: Guillou, L.C., Quisquater, J.J. (eds.) EUROCRYPT ’95. LNCS, vol. 921, pp. 301–310 (1995)Google Scholar
  17. 17.
    Pacher, C., Abidin, A., Lornser, T., Peev, M., Ursin, R., Zeilinger, A., Larsson, J.Å.: Attacks on quantum key distribution protocols that employ non-its authentication. arXiv:1209.0365 (2012)Google Scholar
  18. 18.
    Portmann, C.: Key recycling in authentication. arXiv:1202.1229v1 (2012)Google Scholar
  19. 19.
    Renner, R.: Reply to recent scepticism about the foundations of quantum cryptography. arXiv:1209.2423 (2012)Google Scholar
  20. 20.
    Stinson, D.R.: Combinatorial techniques for universal hashing. J. Comput. Syst. Sci. 48(2), 337–346 (1994). doi: 10.1016/S0022-0000(05)80007-8 Google Scholar
  21. 21.
    Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO ’91. LNCS, vol. 576, pp. 74–85 (1992)Google Scholar
  22. 22.
    Stinson, D.R.: On the connections between universal hashing, combinatorial designs and error-correcting codes. Congr. Numer. 114, 7–27 (1996)zbMATHMathSciNetGoogle Scholar
  23. 23.
    Stinson, D.R.: Universal hash families and the leftover hash lemma, and applications to cryptography and computing. J. Combin. Math. Combin. Comput. 42, 3–31 (2002)zbMATHMathSciNetGoogle Scholar
  24. 24.
    Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981)zbMATHMathSciNetCrossRefGoogle Scholar
  25. 25.
    Yuen, H.: On the foundations of quantum key distribution—reply to Renner and beyond. arXiv:1210.2804v1 (2012)Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.Department of Electrical EngineeringLinköping UniversityLinköpingSweden

Personalised recommendations