Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to “manually” authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) – 6 on the required length of the manually authenticated string.

The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. Once again, we apply our proof technique, and prove a lower bound of 2 log(1/ε) – 2 on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO ’93).

Finally, we prove that one-way functions are essential (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.


Keywords: Hash Function; Authentication Protocol; Tight Bound; Message Authentication; Input Message
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Barak, B.: Constant-round coin-tossing with a man in the middle or realizing the shared random string model. In: 43rd FOCS, pp. 345–355 (2002)
  2.
  3. Certified Wireless USB,
  4. Di Crescenzo, G., Ishai, Y., Ostrovsky, R.: Non-interactive and non-malleable commitment. In: 30th STOC, pp. 141–150 (1998)
  5. Di Crescenzo, G., Katz, J., Ostrovsky, R., Smith, A.: Efficient and non-interactive non-malleable commitment. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 40–59. Springer, Heidelberg (2001)
  6. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM Journal on Computing 30(2), 391–437 (2000)
  7. Gehrmann, C.: Cryptanalysis of the Gemmell and Naor multiround authentication protocol. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 121–128. Springer, Heidelberg (1994)
  8. Gehrmann, C., Mitchell, C.J., Nyberg, K.: Manual authentication for wireless devices. RSA Cryptobytes 7, 29–37 (2004)
  9. Gemmell, P.S., Naor, M.: Codes for interactive authentication. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 355–367. Springer, Heidelberg (1994)
  10. Gilbert, E., MacWilliams, F.J., Sloane, N.: Codes which detect deception. Bell System Technical Journal 53(3), 405–424 (1974)
  11. Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: 30th FOCS, pp. 230–235 (1989)
  12. Laur, S., Asokan, N., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. Cryptology ePrint Archive, Report 2005/424 (2005)
  13. Maurer, U.M.: Authentication theory and hypothesis testing. IEEE Transactions on Information Theory 46(4), 1350–1356 (2000)
  14. Naor, M., Rothblum, G.N.: The complexity of online memory checking. In: 46th FOCS, pp. 573–584 (2005)
  15. Naor, M., Segev, G., Smith, A.: Tight bounds for unconditional authentication protocols in the manual channel and shared key models. Cryptology ePrint Archive, Report 2006/175 (2006)
  16. Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: 37th STOC, pp. 533–542 (2005)
  17. Simmons, G.J.: Authentication theory/Coding theory. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 411–431. Springer, Heidelberg (1985)
  18. Simmons, G.J.: The practice of authentication. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 261–272. Springer, Heidelberg (1986)
  19. Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005)
  20. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22(3), 265–279 (1981)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel
